I am currently looking at the process of creating some advance security for my developers on my Test environment and whish to give developers access to run agents jobs, ssis packages, with their own credentials, etc without having to give Developers access to SYSADMIN. I would like the DBAs to remain the only users with SYSADMIN access. Has anyone got a similar sinario in their environment...if so, can you share it with me?? I am considering creating a group on the network for Developers and giving that group less access than SYSADMIN (eg: msdb: SQLAgentOperatorRole, SQLAgentReaderRole and SQLAgentUserRole) and placing all Developers in that group.

The Windows group for developers sounds like a good idea and Vidhya's suggestion of using the SQLAgent roles in msdb is a good choice for allowing non-sysadmins to maintain jobs. You should review the permissions for the role in BOL to make sure it's what you want.

If you want to restrict database access to smaller groups, you may want to create Windows groups for each of those and make them members of the larger group. In our shop, we have multiple systems and each system has it's own group of developers.

Greg and Vidhya's advice is good. I'd be wary of allowing developers to manage jobs and packages. They tend to "fix" things on the fly, often breaking others at the same time and potentially causing instability.

The reasons behind SOX and other regulations are to ensure stability and prevent unnecessary and unauthorized changes. This is one place I think developers should not be allowed access to do anything other than run jobs. Allowing them to make changes can lead to stability issues.

Thanks for that Steve. I based by comments on BrendA's statement that it's a test environment, but you reminded me that developers shouldn't have free reign to change jobs or packages that will end up in production.